Paranoid Penguin - Linux Security Challenges 2010

Security challenges and worries for 2010: we live in interesting times indeed!

In August 2005, I wrote a Paranoid Penguin column titled
“The Future of Linux Security”, in which I described what I
thought were the biggest challenges of Linux security in 2005 and the
most promising new technologies for addressing them.

In that 2005 column, I suggested that virtualization might become a more
important tool for isolating vulnerable applications and solutions than
Mandatory Access Controls (MACs), such as SELinux and AppArmor. I also
predicted that anomaly detection would become much more important than
signature-matching, as the underlying engine behind most antivirus (AV)
and intrusion detection/prevention systems (IDS/IPS).

So far, neither of those predictions has come to pass. We're still
stuck with predominantly signature-based AV and IDS/IPS technologies
that are largely incapable of detecting either “zero-day” malware that's
too new for anyone to have yet created a corresponding signature or
polymorphic malware that alters itself from generation to generation.

Virtualization overwhelmingly has been driven by hardware resource
management and other operational and economic concerns rather than
security. In fact, virtualization, as most commonly deployed nowadays, is
arguably a bigger source of security issues than it is a security
tool (for example, for isolating vulnerable applications or services
from other parts of a given system).

Am I embarrassed about those predictions not panning out? Not as much
as I am disappointed. I still believe that AV and IDS/IPS need
to evolve past signature-matching, and I still think virtualization has
the potential to be a bigger part of security solutions than it is of
security problems.

This month, more than five years since my last such overview, I'm
devoting a column to my thoughts on what I consider to be
some of the biggest Linux and Internet security challenges for 2010
and to my ideas on how we might address those challenges. This is by
no means a comprehensive survey (time and space didn't permit me even to
touch on mobile computing or embedded Linux, for example), but
I think you'll agree that the issues I do cover represent some of the
most far-reaching security challenges that affect not only the Linux
community in particular, but also the Internet community at large.

Assets and Attackers

Before I zero in on specific technical areas, a quick word about the
things we're defending and the people who are attacking them is in order, because
both have changed significantly since I started writing Paranoid
Penguin. In
the old days, we were concerned primarily with preserving network and
system integrity against intruders who we assumed were most likely to
be bored suburban teenagers or industrial spies.

Governments, of course, worried about other types of spies, but I'm
talking about civilian and corporate space (and generalizing heavily at
that). The point is that the classic attack scenario involved people
trying to remote-root compromise some Internet-facing system so they
could deface your Web site, steal proprietary information or use that
system as a platform for launching attacks on other systems, possibly
including systems “deeper inside” your internal corporate network.

We still worry about that scenario, of course. But over the past decade,
there has been an explosion in identity theft across a wide spectrum:
simple e-mail-address harvesting for the purpose of spamming;
stealing, trafficking in or illegally generating credit-card numbers for
making fraudulent purchases; full-blown assumption of other
people's names, social-security numbers (or other non-US identifiers),
bank account numbers and so forth, for the purpose of fraudulently
opening new credit accounts; laundering money gained in other criminal
activity, and so on.

Sometimes identity theft is achieved through the old-school, console-intensive
attacks of yore, against databases housing dense concentrations of such
data. Much more commonly nowadays, it involves sophisticated malware
that either infiltrates a given bank or merchant and works its way to
its databases or harvests data at the client level, possibly even
by capturing individual users' keystrokes.

Because spam, fraud and identity theft in general are so lucrative
(amounting to billions of dollars annually), it should be no surprise that
organized crime is behind a lot, if not most, of it. I'm speaking not only
of traditional crime organizations that also run prostitution, illegal
drug and gambling operations, but also of completely new organizations
focused solely on credit-card trafficking (“carding”) and other electronic
crimes.

College students and teenagers still fit into the equation, but in many
cases, they're working for scary people, for real money. The people writing
the trojans, worms and viruses that do so much of the heavy lifting
in these attacks are, in many cases, highly skilled programmers earning
much more than the people who write anti-malware and firewall software!

This is our new security landscape. The situation is no more or less
winnable than it was ten years ago, and sure enough, e-commerce
and Internet traffic in general are still churning along more or less
smoothly. But we need to pay attention to these trends for that to continue
to be the case.

So, how do these trends in the asset and attacker equation affect the
defense equation?